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Read data from the HTTP request 



Create a hash table (name, value pairs) with parameters for the Filter Engine 
including HTTP headers, Content type, client IP address, HTTP method (GET 
and SET) and the actual data in the request 



Identify if the data has been signed. If not signed, call Filter Engine with the 
hash table 



If signed, URL decode the PKCS#7 message received from the Plug-In and 
insert it into the hash table 



Call the Filter Engine with the hash table 



Process the return value from the Filter Engine 



If the return value from the Filter Engine indicates that the web application has 
been called, then display the next page 



If the return value from the Filter Engine indicates that the page needs to be 
signed, the state of the Filter Engine is stored in a cookie and the page with the 
Plug-In is displayed 



If the return value from the Filter Engine indicates that the Client Certificate is 
GOOD, then change the State and send a request to Filter Engine to retrieve 
the next page. 



For all other values or exceptions, display error page to the client. 
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Filter Engine Startup Steps 


802-^ 


Loads Filter Engine properties from the properties file 


804 


Open log files 


806^ 


Load SSL or Utility Certificates 


808^ 


Load RMI server Policy File 


810^ 


Load Rules files into the memory 


812^ 


Validate Rules to verify correct formatting 




The Filter Engine Interface is now ready to receive requests 




FIG. 8 




Filter Engine Processing Steps 


902^ 


Receives HTTP Request data and the State from the Servlet 


904 


If the State passed from the Servlet is FE_NEW_REQUEST. the Filter Engine 
compares the request against the signing rules and determines whether the 
request has to be signed or not. It builds the Return Object specified in the 
FE_NEW_REQUEST State. 


906 


If the State passed in from the Servlet is FE_SIGNED_DATA, then it calls the 
Bank Interface to check the status of the Certificate. After interacting with the 
Identrus network, the Bank Interface returns the status. The status and the data 
in the CMS message are put into a Return Object and sent to the Servlet 


908^ 


If the State passed from the Servlet is FE_REQUEST_CHECKED, indicating 
the final stage of a signed transaction, the Web Application is called. The 
original page is retrieved from the Web Application and its content is returned to 
the Servlet in a Return Object 




Log all signed request to the event log and all errors to the error log 




All exceptions are returned to the Servlet as part of the Return Object 
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Bank Interface Startup Steps 

1102 ^ Loads Bank Interface properties from the properties file 

1104 Open log files 

1106 ^ Load SSL or Utility Certificates 

1108 ^ Load RMI server Policy File 

Load cryptographic modules, either software or hardware (Hardware Security 
1110--^ Module API) as specified in the properties file 

At this stage the Bank Interface is ready to receive service request 

Call Bank Interface service manager with the DSMS request that contains the 
name of the service, mode of the service and the message 
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Steps . 

Retrieve Relying Customer and Root Certificate from the server 



Retrieve Subscribing Customer and Issuing Participant's Certificate from the 
CMS (Cryptographic Message Syntax) also referred as PKCS#7. 



Verify signature on the CMS message 



Verify signature on the Subscribing Customer's Certificate using the Issuing 
Participant's Certificate 



Verify signature on the Issuing Participant's Certificate using the Identrus Root 
Certificate that belongs to the Relying Participant 



The Validity period is then checked on the two Certificates received against the 
current date 



Retrieve the OCSP responder's URL from the Relying Customer's certificate 

Create an OCSP request for the Subscribing Customer's Certificate signed by 
the Relying Customer. All OCSP requests contain a Service Locator 
Extension, which is set by the Authority Information Access (AIA) extension 
defined in this certificate 



Log the OCSP request to the transaction log 



Create HTTP(S) connection to the OCSP responder and send the OCSP 
request. 



Receive OCSP response from the responder and verify the signature using the 
OCSP Responder's Certificate 



Get the status of the certificate from the Response 



Repeat steps 8 through 1 1 for the Issuing Participant and the Relying 
Participant's OCSP Responder's certificate 



Log the OCSP response to the transaction log 



If the status of all the responses are GOOD return GOOD, else return the status 



Log all signed request to the event log and all errors to the error log 
All exceptions are returned to the client as part of the Return Object 
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# 


Description 


Protocol 


1301 


User clicks 'Submit' button on HTML Form in Web Browser 


HTML Ul 


1302 


Web Browser posts form data to SDK Web Server 


HTTP 


1303 


SDK Web Server passes all requests to Servlet. 




1304 


Servlet passes request to Filter Engine. 


RMI 


1305 


Filtpr Pnninp rrpatp^ a Rpturn-to-Browser URL ^as a GET with 
parameters for data) representing the data of the original 
POST or GET form posting and returns it along with 
instructions to get the data signed to the Servlet 


RMI 

r\ivi 1 


1306 


Servlet builds a response with 

1 . An Applet tag pointing to the Client Interface Applet OR 

2. A call to a browser plug-in and the arguments Return-to- 
Browser URL and the data to sign. 


Servlet 


1307 


SDK Web Server returns the Servlet's response to the Web 
Browser. 


HTTP 


1308 


Web Browser displays the HTML Page (requests the Applet if 
necessary) 


HTTP 


1309 


Web Browser displays Client Interface Applet or activates the 
plug-in, 

Th^ arniimpntQ arp thp H^tn tn ^inn and no^^ihlv a URL 


Browser 


1310 


lJ<;pr rlirks button in to aoDrove sianina of form data. 


GUI 


1311 


Client Interface faoolet or oluain^ calls Smart Card API to reauest 
that the Smart Card sign an SHA-1 hash of the form data. 


Client Interface 


1312 


User enters PIN when driver ask for it. 


OS Dialog 


1313 


Smart Card API returns signed form data to Client Interface. 


Client Interface 


1314 


Client Interface makes a HTTP connection to the SD1(Web 
Server and submits the signed form data. 


HTTP 


1315 


SDK Web Server passes request to Servlet 


Servlet 


1316 


Servlet passes request to Filter Engine. 


RMI 


1317 


Filter Engine calls Bank Interface with signed data. 


RMI 
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1318 


The Bank Interface calls the Open Card API to request that the 
HSM sign an SHA-1 hash of the request to the bank. 


Java Function 
Call 


1319 


Open Card API calls HSM OS Driver 


Java Native Call 


1320 


HSM OS Driver calls HSM to perform signature. 


OS-Level 
Hardware Call 


1322 


HSM OS Driver returns signed request to Open Card API 


Java Native Call 


27 


Onpn C'.arfi API rptiirn^ ^innpH rpfiup^t to Bank Interface 


Java Function 
Call 




Rank Intprfapp rall< thp rpl\/inn nartx/'^ hank 


Warranty/Status 
Check 


2029 


Relying party's bank calls the issuing party's bank. 


Warranty/OCSP 


1330 


Issuing party's bank returns a signed response to relying 
party's bank. 


Warranty/OCSP 


1331 


Relying party's bank then calls the root. 


Warranty/OCSP 


1332 


Root returns a signed response to the relying party's bank. 


Warranty/OCSP 


1333 


Relying party's bank returns a signed response to the Bank 
Interface. 


Warranty/Status 
Check 


1 00*T 


Bank Interface validates the signed data and then records the 
transaction in the log. 


File I/O 


1335 


Bank Interface validates the signed data and then stores the 
signed data and the signed response from the relying party's 
bank into the SDK's database. 


JDBC 


1336 


Bank Interface returns an OK or failure result to Filter Engine 


RMI 


1337 


Filter Engine returns failure result to Servlet or passes on initial 
request to App Sen/er. 


RMI 


1338 


Servlet builds response indicating failure for SDK Web Server. 


Servlet 


1339 


SDK Web Server returns servlet response to the browser if 
failure. 


HTTP 


45 


Web Application's Web Server calls the Web Application 


ISA 


46 


Web Application generates and returns its response. 


ISA 


47 


Web Application's Web Server returns the response to the 
Filter Engine 


HTTP 
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1501 


ll^pr rpnijp^t^ form that will reauire sianina when submitted 
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HTML Ul 


1502 


Wph Rrnw^pr ^pnd^ rpnup^t to Web Server 
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HTTP 


1503 


Web server forwards request to Web Application. 


ISA 


1504 


vveo Appiicaiion reiurns an n i ivil pciyc loi uic wtsu ocivci lu 
return which references the Client Interface 


10r\ 


1505 


Web Server returns the HTML Page to Web Browser. 


HTTP 


1506 


Web Browser requests Client Interface from Web Server. 


HTTP 


1507 


Web Server retrieves Client Interface. 


OS File System 


1508 


Web Server returns Client Interface. 


HTTP 


1509 


User clicks the submit and sign button in the web page. 


HTML Ul 


1510 


Web Browser calls Client Interface. 


Client Inerface 
Technology 


1511 


Client Interface calls Windows PC/SC to have Smart Card sign 
data. 


OS API 


1512 


User enters PIN. 


OS Dialog 


1513 


vvinaows ru/oLr cans oman oara lo sign aaia. 


WO Level 

Hardware Call 


1514 


Windows PC/SC returns signed data to Client Interface 


OS API 


1515 




Client Inerface 

1 1 W III III W 1 1 M WW 

Technology 


1516 


Web Browser posts signed data. 


HTTP 


1517 


Web server passes signed posting to Web Application. 


ISA 


1518 


Integration Code added to the Web Application calls the Bank 
Interface to verify the signature on the form. 


Bank Interface 
Technology 


1519 


Bank Interface calls HSM OS Driver to sign request. 


OS-API 


1520 


HSM OS Driver calls HSM to sign request. 


OS-Level 
Hardware Call 
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HSM OS Driver returns signed request to Bank Interface 


OS-API 


1522 


Bank Interface calls the Relying Party's Bank. 


Warranty/Status 


1523 


Relying Party's Bank calls the Issuing Party's Bank. 


Warranty/OCSP 


1524 


Issuing Party's Bank returns a signed response to Relying 
Party's Bank. 


Warranty/OCSP 


1525 


Relying Party's Bank calls the Root. 


Warranty/OCSP 


1526 


Root returns signed response to the Relying Party's Bank. 


Warranty/OCSP 


1527 


Relying Party's Bank returns signed response to the Bank 


Warranty/Status 


1528 


Bank Interface stores the signed data and the signed OK 
response from the relying party's bank into the Signed 
Documents repository. 


Database- 
Access API 


1529 


Bank Interface writes transaction log message. 


File I/O 


1530 


Bank Interface returns result to Web Application. 


Bank Interface 
Technology 


1531 


Web Application interprets the form post and returns the next 
page to the Web Server or an error. 


ISA 


1532 


Web Server returns the page to the Web Browser. 


HTTP 
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